[Question] - Tokens, Previews, and Automated CI in NuxtHub

[onmax]

Hi NuxtHub Team,

We're currently managing a project where multiple developers create and push their own branches. Given that NuxtHub automatically deploys all branches by default, we're looking to better understand potential security implications. Specifically, we're concerned about scenarios such as compromised GitHub accounts pushing unauthorized code, potentially exposing tokens from NuxtHub and Cloudflare.

We considered modifying our GitHub actions to restrict deployments to the main branch and limiting write access via pull requests. However, we'd greatly appreciate guidance or documentation on existing safeguards and recommended best practices.

Additionally, could you please clarify if a security incident in one project could impact other projects within the same team, or if isolation between projects is maintained?

Thanks very much for your support!

[skoenfaelt]

If the attacker has the user token and the project key, he can deploy via local terminal (its a feature ^^)

I have a PR where I document how to build a gitlab-ci. I added rules, which deploys automatically only in main and staging branches. You have the ci code, so you are free to change the rules like you want.

The most valuable data is the user access token. Secure this as good as you can (do not store it in the repo), then you should be good.
Also change your nuxthub user access token every X months.

[onmax]

Thank you for your reply.

However, I would like to know if the attacker could retrieve the token by executing code from the server side.

For example, the attacker could write

export default defineEventHandler(() => {
   return useRuntimeConfig().hubProjectDeployToken
})

Is this even possible? I know that the token is encrypted, but I would still like to confirm.

[atinux]

Hi @onmax

Sorry for the delay, missed your issue.
If you use the NuxtHub GitHub action, no user tokens will be shared so it truely limit the scope of what's possible.

If a GitHub account is compromised (and you limit creating PR and not pushing to main branch), he would only be possible to run database queries / migrations at build time on the preview database, or create new resources (by setting hub.blob = true for example in the nuxt.config.ts).